British anti-virus pioneer Dr Alan Solomon is so convinced that AV software no longer works that he gave up using it a “long time ago” and solved his security worries by moving from Windows to Linux, the iconic figure has said in a blog.

John McAfee rubbishing the software that still carries his name was one thing but Solomon’s more clinical disassembly of an industry he helped create in the 1990s with Dr Solomon’s highly-regarded Anti-Virus Toolkit (bought by Network Associates in 1998 for $642 million) is more like a well-aimed punch in the solar plexus.

This should be even more true now that we know just how sophisticated malware has become. Here's a current example, Regin.

Some of you out there may be aware that I've had some serious tussles with malware infecting home computers I have tried to maintain for friends who are still tied to Windows by employers. In three cases I ended up totally replacing all software, after confirming that the hardware functioned perfectly under Linux. I've run scans from four different reputable antivirus companies without isolating any apparent malware, despite the machines in question being essentially unusable.

All three machines suffered a breakdown in networking software and Windows Update. Unfortunately, this doesn't lead to anything very specific. That whole subsystem is a house of cards which has repeatedly failed in the past due to problems not caused by malicious software.

I was particularly bothered by not having any clues about how to trace the problem to a source of infection, so I could plug the hole. This has changed in one sense: on November 24 a full scan showed definite malware on one restored machine at a time when nobody had been using it. The simplest explanation is that there was an infection already in the system after I replaced both the software and the disk holding it, but this was not found until it received an updated signature. This was about the time news about Regin broke, but this identification is complicated by the sheer number of malware programs listed at the same time. There is no question the infected system had a number of password protected files I could not explain.

The antivirus used at that time gave me a cryptic reference which doesn't match any other identifier used by other companies. When I have time, I intend to recreate the corrupted system on a separate disk, then use a variety of virus scanners with current signatures to see if I can gain a better idea of what caused these problems. If I were running a business, I would not want to bet on Windows remaining functional.

Never ever used antivirus on Windows. Had no infections in over 10 years.
Never had to reinstall either... the oldest, a 2000 install, is around 10 years old now too.

As long as the gateways are present, infections will happen regardless of whatever placebo software you have. The same software does not prevent gross stupidity either... the main cause of problems on the hardened recent releases of Windows... download and run in spite of warnings.

End of story really

Mike

PS: antivirus seemed a waste of time anyway... a new virus can infect the world in a matter of minutes... the best antivirus may take days to catch on to the new threat.

...As long as the gateways are present, infections will happen regardless of whatever placebo software you have. The same software does not prevent gross stupidity either... the main cause of problems on the hardened recent releases of Windows... download and run in spite of warnings.

End of story really...

I'm curious about those "gateways". Does this mean your Windows installations were not connected to anything else? In that case I can agree.

I will also agree if you are talking about people using dodgy sites like Yahoo! or Facebook.

As for "gross stupidity", does that include installing Google Chrome or Adobe Flash Player? Some problems with these I've successfully traced were caused by browser helper objects actually installed by M$ in some of its many incarnations, like bing or Skype Click-to-Call. (Bing also helpfully directs people searching for Google Chrome downloads to sites that add their own questionable product downloads.) Personally, I think anyone agreeing to pay for a product with a M$ EULA is guilty of gross stupidity from a legal standpoint. You might check on an organization calling itself Clickbank, which has emulated the M$ strategy of getting people to agree to hold them not responsible for rape and pillage via terms of service needed to do anything.

Hardening a machine running a M$ product today, rather than 10 years ago, should probably include packing the power cord socket full of Bondo.

User stupidity... downloading dubious software when an ad flashes at you for smilies or "fix yer machine" software...

These are machines connected to the internet... a router helps block the NetBIOS/Samba/RPC gateways; otherwise there is a need for a bit of hacking/disabling for those.

Browser helper objects... there is yer clue.

Your gateways are IE/Outlook Express/WMP7+/MSN Messenger and Automatic Updates... and any software that uses Trident and related ActiveX controls; their abysmal security models let just about anything through with ease... the zone system is part of this mess and protects nothing... Vista and newer have wrapped these up in cotton wool and do seem to require some user intervention now, hence the stupidity thing.

Remove this bundled software as best you can and, miraculously, apart from a more stable system, the bombardment of malware et al. ceases.

Not using it is not quite sufficient as there is the integration of the desktop to bear in mind.

Funny really, I never have had a problem via Flash or Java, although the latter can be easily used via a hacked website, it seems, by tricking users into downloading software. To be honest, if a website is hacked it's going to be a no-go zone generally.

By the way, I do not browse carefully... I even used to go to dodgy e-card emails to see if I was safe.

As it happens I discovered all this because the computer seized up if making a few bookmarks in IE and had to be reset all the time... Outlook took 10 minutes to even launch, Messenger was infection city, and in a search for something better I tried Firefox and alternative email and chat software... then found IE Eradicator from 98lite and then learned about all the joys of the software I had just removed.

I'm glad you clarified that Mike. I nearly mistook you for a M$ fanboy.

ActiveX controls are simply software wrappers around raw machine code. You can tell because they are decidedly non-portable. Because they have access to the raw machine keeping them out of trouble requires some pretty sophisticated work with virtual machines. Easier to eliminate them entirely.

Various "enhancements and extensions" to HTML, Javascript and Java nearly destroyed portability of browsers, as certain companies wanted. To this day it is hard to say how well common browsers conform to published standards, unless you consider IE11 as the standard, which makes this a tautology. I'm not sure anyone really knows exactly what IE11 does. I'm not even sure how many defective implementations of software objects M$ has produced. (Remember OLE 1 and 2? Those are ancient history.)

I recently went through a dialogue about "dangerous sites" with a friend, who felt that he was safe because he "never visited porn sites". My demonstration involved booting a Puppy derivative (Fatdog 64) and using my (updated) Firefox browser with NoScript, running in RAM, to check on what his familiar sites were doing. I tried his local newspaper site, which needed permission to display the home page. This paper was part of a syndicate, advertising group, etc. A second level of scripts brought them in. These companies then sold advertising to still others, which required a third level of scripting. I think it was on the 4th level of scripts that the ad appeared which offered to connect me with "hot single women" in my area.

My friend said he would never click on that ad. This is where I pointed out that the browser was already running code from that site in order to display the ad. At this point, I asked if he knew anyone at that small newspaper who seemed like an IT security expert. No. Did he realize how thoroughly dependent the newspaper was on advertising revenue to stay in business? Yes. How carefully do you think they check scripts used by advertisers before they run them? How well do they know these advertisers? More to the point, how much do you trust the people who prepared that ad about "hot single women"? Not much.

This is where the level-zero malware droppers get in, and it is not always immediately clear if an unfamiliar program which doesn't do anything obviously malicious is malware or not. Many legitimate programs use encryption to protect intellectual property or prevent alteration of their code. Unfortunately, the suppliers of common software are busy changing things at a pace which makes it virtually impossible to decide if every changed program is legitimate. (I have a call today to check on just such a problem. It might be OK, but I'm willing to bet against that.) This leaves wide open the question of unintentional bugs which open a system up to exploits, as we just learned in the case of Shellshock. (OK, that one counts as deliberate code intended for debugging, rather than malicious code. If we have to worry about criminal intent we will be like a legal system which can allow murderers to walk free.)

The malware with which I just had that tussle produced a symptom called "the Green Ribbon of Death". Unfortunately, this has turned up repeatedly in systems which were not apparently infected, all the way back to Windows Vista. One thing going on in these cases was that the OS was scanning every file in order to index it for quick searches and/or prepare thumbnails of pictures and videos. A program which accesses every file on the disk is an obvious target for anyone looking for exploitable information in a system. Video codecs require access to the bare machine for reasons of speed, which makes them popular with malware producers. This system service could invoke every codec already installed. If you have a list of zero-day vulnerabilities in common codecs, or a list of known vulnerabilities a particular user may not have patched, this looks like an ideal means of checking for weaknesses you can exploit.

The Regin malware, for which I supplied the link above, was not terribly stealthy compared to other malware. It was, however, designed to make it very difficult to trace this back to a source. While it used encryption repeatedly, it did not exploit the level of obfuscation seen in some botnet control software, which uses encryption incorporating the MAC address of the network adapter so that each machine has a unique key. Once that kind of sophistication becomes common, signature-based scanning will be virtually useless.
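The NoScript demonstration above (the newspaper page that pulled in syndicate, ad-network and exchange scripts before the "hot single women" ad appeared) can be reconstructed from a log of which script loaded which. This is an added example, not code from the thread or from NoScript; the site names and the load list are constructed, and real input would come from a browser's initiator/referrer data.

```javascript
// Added example: measure how many hand-offs separate the site a user chose
// from the origins whose code actually runs. Each constructed entry means
// "the document or script at `initiator` caused `script` to be loaded".
const FIRST_PARTY = "https://localnews.example"; // assumed first-party site

const sampleLoads = [ // constructed sample, mirrors the chain described in the post
  { initiator: "https://localnews.example/", script: "https://localnews.example/site.js" },
  { initiator: "https://localnews.example/", script: "https://cdn.syndicate-news.example/tag.js" },
  { initiator: "https://cdn.syndicate-news.example/tag.js", script: "https://ads.adnet-one.example/loader.js" },
  { initiator: "https://ads.adnet-one.example/loader.js", script: "https://exchange.bidnet.example/bid.js" },
  { initiator: "https://exchange.bidnet.example/bid.js", script: "https://creative.hot-singles.example/ad.js" },
];

function origin(url) {
  return new URL(url).origin; // scheme + host + port; path is irrelevant here
}

// Build an origin -> set(origin) graph of "who loaded whom" and walk it
// breadth-first from the first party. The level of an origin is the number of
// third parties that vouched for it, transitively, before its code ran.
function scriptTrustLevels(loads, firstParty) {
  const edges = new Map();
  for (const { initiator, script } of loads) {
    const from = origin(initiator);
    const to = origin(script);
    if (!edges.has(from)) edges.set(from, new Set());
    edges.get(from).add(to);
  }
  const root = origin(firstParty);
  const level = new Map([[root, 0]]);
  const queue = [root];
  while (queue.length) {
    const cur = queue.shift();
    for (const next of edges.get(cur) ?? []) {
      if (!level.has(next)) {        // visited check also breaks cycles
        level.set(next, level.get(cur) + 1);
        queue.push(next);
      }
    }
  }
  return level; // Map: origin -> level (0 = the site itself, 1 = chosen by the site)
}

// Origins the site owner never selected directly: anything at level >= minLevel.
function transitiveOrigins(loads, firstParty, minLevel = 2) {
  return [...scriptTrustLevels(loads, firstParty)]
    .filter(([, lvl]) => lvl >= minLevel)
    .map(([o]) => o);
}
```

Run against the sample, the ad creative's origin sits at level 4 and three of the five origins were never chosen by the newspaper at all.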

Hmm, turning off that indexing of files is one of the first things I do... an inadvertent security measure perhaps.

No... not a fanboy... I use computers and want them to work quickly and reliably.

Note that .NET is a huge pile of ActiveX controls to create a virtual machine on the machine... worrying really.

As for web page scripts, only IE (and Outlook etc.) would attempt to run scripts in media, fortunately... for everyone else that just leaves JavaScript... an annoyance, but does it go any further than a crash in most browsers? Notice that Outlook no longer uses the Trident engine (Express does, I believe). Actually, as a fanboy I would know the ins and outs of Windows 8/9/10, but I only recently had a play with 7 for the first time to see if the bunny could be streamlined and how safe it actually was. It actually seems to do a fairly good job of removing IE, at least in part. The Trident engine in itself is OK as long as software using it does not let it near the net or potential threats.

The browser integration... I believe was MS's attempt to own the emerging internet by creating Windows-only pages via their FrontPage software and IE that matched its non-standardness... oh yes, and proprietary ActiveX controls.

In my limited book, for ANY code to be a threat it has to be added to a machine and then run... if there is no mechanism for that apart from a human then it ceases to be a threat.

Linux is nice as it seems to lack such ridiculous security blunders... there may be obscure methods somewhere in there, but why bother when Windows continues to be such an easy target... after all, it's mainly idiots trying to make a quick buck in some way and they have not the brains or the resources to crack anything difficult.

One point that always occurred to me... if a big dummy like me with very limited computer knowledge at the time can harden a system to the extent that it's safe in practical day-to-day terms, how come the mighty MS and all these security experts appear to continue to fail to achieve the same... unless of course it's in their financial interests to perpetuate the problem.

The flip side is, while there is an easy target, more secure systems continue to be relatively left alone... now there's a generalisation.

Unfortunately named malware category: PUP. Potentially Unwanted Program. This acronym will inevitably be expressed in lower case, and be an extra confusion for new users of Puppy Linux. I just removed one of these slithering varmints from a Win7 laptop, named crawler.com, which provides a gateway for an entire suite of junkware, like the rogue AV, Spyware Clear.

O.K. bark_bark_bark, let's see a web page that is not devoted to advertising. Even this one has some.

Clickjacking is one of the problems that bothers me, and it can be more subtle than you might think. Take a look at what is possible just in terms of changing appearance using CSS. You can make a page so confusing that people will click on a button which means the opposite of what they intend. Other ways to do this are to make the active region for the button you want people to click large, and the opt-out region small, without changing appearance at all.

Drive-by-downloads are all over the place, and it is hard to do a great deal on the Internet without downloading and installing something. In many cases you have to fight to get the program you want without also getting a "download manager" you do not want. If you don't look real closely you may also have opted-in for services you never heard of by not unchecking a box.

All this still leaves out man-in-the-middle attacks providing code injection at nodes your connection passes through on the way to the site you want. These can even push the button for you if you don't select what the attacker wants. Trying to untangle the legal liabilities in such a case is almost hopeless.

We still have not exhausted the possibilities.

I can't let this thread go without sharing a story about one person who told me he never had trouble with malware on Windows. A few months after making this statement he called me in a panic, saying his computer was speaking Arabic to him. This was sufficiently unusual and interesting enough so that I made a trip to his house. As advertised, when we turned up the audio on that machine we heard what sounded like a telephone conversation in Arabic. There were two male voices. I caught a few words, but couldn't tell you what they were discussing. It sounded like a business conversation.

His machine was too far gone for me. I told him to buy the Fix-Me-Stick and run it. It ran for 10 hours, and found so much that it was impossible to guess which malware provided the Arabic Internet telephone service.

One of the few things I could not get people to understand is that the mailbox is THE primary gateway into a computer. If you pick up and sort your mail at the server, rather than downloading mail, about 90% of all problems magically disappear (W98 days). So that meant to TOSS Outlook (Express) or better yet, never install it. A month with Mail 1.1 (W95.2) with its ibx and obx extensions will confirm. Good-bye D/L mail, hello server.

But this new security-ware like AdBlock (Edge)... does it just remove the pix, or does it actually block coding like NoScript? NFN, but it's taking up 25MB on a / size of 460MB (about 5.5%). In M$-bloatware 25MB is nada, but Puppyware is a bit more lean... just a wee bit.
Linux user #498913

To be fair, some of the punters are getting clickjacked, or drive-by-downloads, so gross stupidity is not a necessary requirement to download malware.

Yes, perhaps my language was a bit strong there... I meant the 'do you wish to download/run this software' warnings being ignored when unsolicited, as well as wanting shiny thingies. And of course those 'your computer is faulty... we will fix it' stuff.

Seems like kids need educating about this at school and what to look out for (stuff most here will be well aware of and ignore), and then they tell their parents. Humans can make very effective antivirus tools.

Email as the source of most evil... yes, Outlook Express is a major culprit... sad the tale of the woman who said she got a new laptop... got a few emails... one of them stuffed the machine... it was put away and not used since... what a waste, and all because of THAT program.
It also means I find so many are reluctant to use email at all and prefer to communicate via, say, Facebook... another great waste of a really useful tool. MS blunders cause whole cultural shifts. By the way, since using Thunderbird from 0.6, not a sniff of a problem.

I must also mention that after removing all that gateway 'software' I did occasionally download and run something dodgy... the dark days of file sharing, I must admit. Such nasties sat there gobbling 100% CPU but failed to totally entrench or spread themselves further... why?... It appeared that they were looking for the very software (programs and related ActiveX controls, to be more specific) I had removed. All I had to do was kill the process and delete the file in question and no further harm done. In other words, these 'gateways' work both ways, both to get in and to allow spreading elsewhere... all the more reason to neutralise and remove.

I have XP installed on my desktop PC, but almost always run Puppy instead.

Are there any detailed instructions available about what I should do to XP to make it safe?
So far:
I seldom use it to go online, and NEVER use it to fetch emails.
Installed Time Freeze so I can choose to NOT SAVE session changes in XP.
